iis security : IIS 6 Security Problem


Bill Cohagan
2/7/2004 5:45:06 PM
I'm trying to get the SushiWiki web app up under IIS 6. This is an ASP.Net
app and I'm having security problems that I can't seem to resolve. For those
of you unfamiliar with a wiki, this app allows you to edit web pages via
your browser. (There's a lot more to wiki than that, but ...) The pages are
stored as XML files in a pub subfolder of the web application folder. The
XML is rendered via the ASP code to HTML pages. Old versions of pages are
saved into subfolders within pub. My problem is that I'm getting access
errors when the app attempts to save these old versions. The application is
running with impersonation = "False" in the web.config file.

I can clear the problem up by allowing Full Control to Everyone on the pubs
folder, but I'd rather avoid that sort of setting for obvious reasons.
Furthermore, I can then remove the Everyone account from the permissions
list and the app works OK "for a while" (or maybe it's for certain
subfolders.)

There are a couple of accounts that I would think would be appropriate for
setting access, <machine name>\ASPNET and <machine name>\IUSER_<machine
name>. Enabling Write on pub (and subfolders) for these accounts doesn't
reliably solve the problem.

Anyone have any suggestions as to how to proceed or troubleshoot this
problem?

Bill

David Wang [Msft]
2/7/2004 8:00:06 PM
What is the identity of the process that is handling your requests? That
identity must have write permissions on the files/folders in question.

Use FILEMON from sysinternals.com to observe the identity if you don't know
what you configured it as.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//


Bill Cohagan
2/8/2004 1:24:07 PM
David
If I'm reading the Filemon dump correctly it's w3wp.exe. Does that sound
reasonable?

Bill


v-wzhang NO[at]SPAM online.microsoft.com
2/9/2004 9:23:46 AM
Hi Bill,

You can find the account in the site application pool's Identity
tab (the default one is Network Service). Make sure this account has
write permission on the folder. Also, after any changes, you may need
to use iisreset in Start->Run to restart IIS - this refreshes IIS's
NTFS cache.

If it still doesn't work, use Security Audit to trace the whole
folder:
1) Right-click the folder and open properties dialog. In Security
tab->Advanced->Auditing, add Everyone group as a new entity and
select all the Failed events.

2) Go to administrative tools->Local Security Settings->Local
Policies->Audit Policy, enable all kinds of failure audits.

3) Then open event viewer, clear and save as current Security log.
Browse to the problem site to reproduce the error. Any failed events
appear in the log?

Let us know if the issue still persists.
Have a nice day,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security
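
The steps in the post above, as an added example that is not part of the original thread or any poster's code: it grants the application pool identity Modify on the folder instead of giving Everyone Full Control, adds a failure-audit entry, and lists the resulting audit failures. It assumes an elevated PowerShell 5+ session on a Windows version that has `auditpol` and `Get-WinEvent` (newer than the IIS 6 era), a hypothetical folder path, and it enables only the File System audit subcategory rather than every failure audit.

```powershell
# Added example. Run elevated. The path is an assumption, not taken from the thread.
$pub      = 'C:\Inetpub\wwwroot\SushiWiki\pub'   # hypothetical location of the wiki's pub folder
$identity = 'NT AUTHORITY\NETWORK SERVICE'       # default app pool identity named in the thread

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

# 1. Grant Modify (not Full Control) to the worker process identity, inherited by
#    subfolders and files so the old-version subfolders are covered as well.
$acl  = Get-Acl -Path $pub
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $identity, 'Modify', $inherit, $noProp, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $pub -AclObject $acl
iisreset                                         # restart IIS after the change, as the post suggests

# 2. Audit failed access by anyone on the folder tree (the Auditing tab step).
$sacl  = Get-Acl -Path $pub -Audit
$audit = [System.Security.AccessControl.FileSystemAuditRule]::new(
            'Everyone', 'FullControl', $inherit, $noProp, 'Failure')
$sacl.AddAuditRule($audit)
Set-Acl -Path $pub -AclObject $sacl

# 3. Enable failure auditing for file system object access (the Audit Policy step).
auditpol /set /subcategory:"File System" /failure:enable

# 4. Reproduce the error, then show the audit failures that mention the folder.
$start = Get-Date
Read-Host 'Reproduce the save error in the browser, then press Enter' | Out-Null
$auditFailure = 0x10000000000000                 # "Audit Failure" keyword of the Security log
Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Keywords = $auditFailure; StartTime = $start
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$pub*" } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Each failure event names the account that was denied and the access it requested, which shows whether the denied identity is the one that was granted write access.
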

Bill Cohagan
2/9/2004 10:17:09 AM
Yes, it is Network Service as you suggested. I *thought* I'd allowed writes
on that folder for that account, but I've changed settings so much now that
it's certainly worth another try. Also, using Security Audit should help
isolate the problem if that doesn't fix it.

Thanks for the help,
Bill

Ken Schaefer
2/9/2004 4:01:47 PM
w3wp.exe would be the process. What is the identity of the process (i.e.
Windows user account)? Alternatively, you can go into the IIS Manager, find
the Web Application Pool that you placed the website/web application into,
and see (in Properties) what user context is being used. By default, it
would be NT AUTHORITY\Network Service.

Cheers
Ken


v-wzhang NO[at]SPAM online.microsoft.com
2/10/2004 9:28:15 AM
You are welcome. :-)
Please don't hesitate to update here if it still doesn't work. It's
our pleasure to be of assistance.

Regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security